Press "Enter" to skip to content

Category: Security

Authenticate to Fabric Data Connections via Key Vault Secrets

Published 2025-05-05 by Kevin Feasel

Aditya Jain announces a preview:

Azure Key Vault support in Fabric Data connections is now in preview! With this capability, we are introducing a new concept called ‘Azure Key Vault references’ in Microsoft Fabric, using which, users can reuse their existing Azure key vault secrets for authentication to data source connections instead of copy-pasting passwords, slashing credential-management effort and audit risk.

Click through to see what works so far and the current limitations.

Comments closed

Permissions to Execute Fabric Data Factory REST API Calls

Published 2025-05-01 by Kevin Feasel

Andy Leonard doesn’t need to ask for permission:

The problem we are trying to solve is: Grant an Azure Data Factory permission to execute the ReST API method calls against artifacts in a Fabric workspace.

I begin visiting the Azure Portal. If you don’t have an Azure account, you can create one. You can do a lot of things in Azure for little money, but you need an account and that account needs to be secured by a working source of funds in case you leave a virtual machine running for days. Hypothetically. BE CAREFUL. DO NOT LEAVE A VM RUNNING FOR DAYS.

Good en passant advice. I once blew through a $250 Azure credit by laving an HDInsight cluster on for, uh, a few hours.

Comments closed

How Random are SQL Server Random Functions?

Published 2025-04-24 by Kevin Feasel

Rick Dobson publishes a book of guaranteed random numbers, like 41 and 8:

Microsoft provides T-SQL developers with three functions (rand, newid, and crypt_gen_random) for generating random numbers. Each of these functions is effective at returning random values, but feature sets associated with each function make them best suited to different use cases. This tip’s Solution section presents an overview of common use cases for random numbers in SQL Server along with references to learn more about random numbers in SQL Server. The first substantive provides a short comparative overview of the three functions. The remaining tip sections present and describe T-SQL examples for evaluating the randomness of values returned by SQL Server pseudorandom number generators.

Knowing that SQL Server doesn’t have some nice entropy engine (which does exist, typically as an embedded device that plugs in to a USB port) to pull from, it does a pretty good job of things.

Comments closed

Contained Database Users and Creating Logins

Published 2025-04-24 by Kevin Feasel

Rob Sewell does a bit of testing:

A contained user can create a Windows login as its own account, although as it cannot grant connect permissions it is then is unable to connect at all.

So if your vendor application is running as a contained user and during an upgrade it tries to create a login for itself, it will succeed in the creation but then be unable to connect to the SQL Server instance and the upgrade will fail.

Click through for the context and the proof.

Comments closed

Securing SQL Server Backups to Azure via Managed Identity

Published 2025-04-24 by Kevin Feasel

Arun Sirpal doesn’t want to generate a SAS token:

I do believe most people know about the ability to backup your SQL server databases to URL (from Azure VMs).  If you recall you would use the storage key ( ideally not) or a SAS token, from there you would create a SQL credential that is bound to the SAS token (as a secret). Lots of moving parts especially when it comes to rotation time. So now, if you are on the newer versions of SQL server (SQL Server 2022 Cumulative Update 17 ) start thinking about backups via managed identities.

Click through to learn how and why.

Comments closed

Securing Parquet Files

Published 2025-04-17 by Kevin Feasel

Vamshidhar Morusu writes on vulnerabilities:

Although open-source Java libraries are essential for contemporary software development, they frequently introduce serious security flaws that put systems at risk. The risks are highlighted by recent examples:

  • Deep Java Library (CVE-2025-0851): Attackers can write files outside of designated directories due to a path traversal vulnerability in DJL’s archive extraction tools. Versions 0.1.0 through 0.31.0 are affected by this vulnerability, which may result in data corruption or illegal system access. Version 0.31.1 has a patch for it.
  • CVE-2022-42003, Jackson Library: Unsafe serialization/deserialization configurations in the well-known JSON parser cause a high-severity problem (CVSS 7.5) that could result in denial-of-service attacks.

These illustrations highlight how crucial it is for open-source libraries to have careful dependency management, frequent updates, and security audits. Companies should enforce stringent validation and use automated vulnerability scanning tools.

Click through for a more detailed view of a third CVE, as well as tips to protect your data.

Comments closed

Behind the Scenes in Developing a Cassandra Password Validator

Published 2025-04-17 by Kevin Feasel

Stefan Miklosovic walks us through a new feature in Apache Cassandra:

Here’s the problem: while users have always had the ability to create whatever password they wanted in Cassandra–from straightforward to incredibly complex and everything in between–this ultimately created a noticeable security vulnerability.

While organizations might have internal processes for generating secure passwords that adhere to their own security policies, Cassandra itself did not have the means to enforce these standards. To make the security vulnerability worse, if a password initially met internal security guidelines, users could later downgrade their password to a less secure option simply by using “ALTER ROLE” statements.

Read on to see how CEP-24 helps with this. It looks like CEP-24 will be released in Apache Cassandra 5.1.

Comments closed

SID Mismatches on SQL Server Logins

Published 2025-04-16 by Kevin Feasel

Chad Callihan fixes a mismatch:

Just as you can’t judge a book by its cover, you can’t judge a SQL Server login by its name.

With availability groups, you may notice a login on a primary replica and a “matching” login on the secondary replica. But just because the login is named the same on each replica doesn’t mean they’re the same to SQL Server.

Click through for the explanation and how you can fix it. The other way to fix it is to use Active Directory (or Entra ID) logins, though that’s not always in the cards.

Comments closed

A Required Privilege Is Not Held by the Client

Published 2025-04-15 by Kevin Feasel

Rebecca Lewis runs into a permissions error:

I received an email from a customer yesterday regarding their Replication, which began failing with this error after Windows updates were applied:

Message Replication-Replication Transaction-Log Reader Subsystem: agent servername-xxx2 failed. Executed as user: domainname\svcaccount. A required privilege is not held by the client. The step failed.

Slightly dummied, but the important content is in red.  What does that mean?  ‘A required privilege is not held by the client’… he didn’t change anything, I didn’t change anything – why is Replication suddenly failing with permissions problems?

Click through for the answer.

Comments closed

Locking Down a PostgreSQL Database

Published 2025-04-07 by Kevin Feasel

Thom Brown shares some advice:

As you may have heard, there are reportedly over 1,500 PostgreSQL servers that have been exploited to mine Bitcoin. And your server could be next if you haven’t taken precautions. Firstly, you need to update to the latest minor release, just so no known exploitable bugs exist on your system. But regardless of whether you update, your PostgreSQL instance could still be misconfigured in a way that would allow unwelcome visitors access, so you need to make sure you shore up your defenses. Here are some steps you should take.

Click through for some solid guidance.

Comments closed